JBoss Developer: Message List
Most recent forum messages
https://developer.jboss.org/?view=discussions
Jive Engage, 2012-03-06T20:11:50Z, en

Re: Problem with SAML2AttributeHandler
Shane Freed (/people/sfreed6533), 2012-03-06T20:11:50Z
<div class="jive-rendered-content">
<p>I did get the attributes to be returned from my LDAP via the Security Context using the following settings in my login-config.xml...</p>
<pre>
&lt;application-policy name="idp"&gt;
  &lt;authentication&gt;
    &lt;mapping&gt;
      &lt;mapping-module code="org.jboss.security.mapping.providers.attribute.LdapAttributeMappingProvider" type="attribute"&gt;
        &lt;module-option name="attributeList"&gt;cn,mail,extensionAttribute3&lt;/module-option&gt;
        &lt;module-option name="bindDN"&gt;CN=LDAPLOOKUP,CN=Users,DC=xxxx.com&lt;/module-option&gt;
        &lt;module-option name="bindCredential"&gt;xxxxxxx&lt;/module-option&gt;
        &lt;module-option name="baseFilter"&gt;(sAMAccountName={0})&lt;/module-option&gt;
        &lt;module-option name="java.naming.factory.initial"&gt;com.sun.jndi.ldap.LdapCtxFactory&lt;/module-option&gt;
        &lt;module-option name="java.naming.provider.url"&gt;ldap://localldaphost:389&lt;/module-option&gt;
        &lt;module-option name="baseCtxDN"&gt;DC=xxxxx,DC=com&lt;/module-option&gt;
      &lt;/mapping-module&gt;
    &lt;/mapping&gt;

    &lt;login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required"&gt;
      &lt;module-option name="java.naming.factory.initial"&gt;com.sun.jndi.ldap.LdapCtxFactory&lt;/module-option&gt;
      &lt;module-option name="java.naming.provider.url"&gt;ldap://localldaphost:389&lt;/module-option&gt;
      &lt;module-option name="java.naming.security.authentication"&gt;simple&lt;/module-option&gt;
      &lt;module-option name="java.naming.referral"&gt;follow&lt;/module-option&gt;
      &lt;module-option name="bindDN"&gt;CN=LDAPLOOKUP,CN=Users,DC=xxxxx,DC=com&lt;/module-option&gt;
      &lt;module-option name="bindCredential"&gt;xxxxx&lt;/module-option&gt;
      &lt;module-option name="baseCtxDN"&gt;DC=xxxxx,DC=com&lt;/module-option&gt;
      &lt;module-option name="baseFilter"&gt;(sAMAccountName={0})&lt;/module-option&gt;
      &lt;module-option name="rolesCtxDN"&gt;DC=xxxxx,DC=com&lt;/module-option&gt;
      &lt;module-option name="roleFilter"&gt;(member={1})&lt;/module-option&gt;
      &lt;module-option name="roleAttributeID"&gt;cn&lt;/module-option&gt;
      &lt;module-option name="roleAttributeIsDN"&gt;false&lt;/module-option&gt;
      &lt;module-option name="roleRecursion"&gt;-1&lt;/module-option&gt;
      &lt;module-option name="searchTimeLimit"&gt;10000&lt;/module-option&gt;
      &lt;module-option name="allowEmptyPasswords"&gt;false&lt;/module-option&gt;
      &lt;module-option name="defaultRole"&gt;manager&lt;/module-option&gt;
    &lt;/login-module&gt;
  &lt;/authentication&gt;
&lt;/application-policy&gt;
</pre>
<p>In my IDP handlers I had the following settings for my SAML2AttributeHandler and my ATTRIBUTE_MANAGER. Notice the ATTRIBUTE_KEYS are the same as listed above.</p>
<pre>
&lt;Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler"&gt;
  &lt;Option Key="ATTRIBUTE_MANAGER" Value="org.picketlink.identity.federation.bindings.jboss.attribute.JBossAppServerAttributeManager"/&gt;
  &lt;Option Key="ATTRIBUTE_KEYS" Value="cn, mail, extensionAttribute3"/&gt;
&lt;/Handler&gt;
</pre>
<p>The only change I made in the SAML2AttributeHandler was to download the Handler that Anil changed (listed in the post earlier) and change one method. Notice what I block commented out and in which method.</p>
<pre>
@Override
public void initChainConfig(SAML2HandlerChainConfig handlerChainConfig) throws ConfigurationException
{
   super.initChainConfig(handlerChainConfig);

   log.trace("+++ initChainConfig begin +++  ");

   // Commented out of original code as this caused the Attribute Manager to be reset to the Tomcat Attribute Manager.
   /*
   Object config = this.handlerChainConfig.getParameter(GeneralConstants.CONFIGURATION);
   if (config instanceof IDPType)
   {
      IDPType idpType = (IDPType) config;
      String attribStr = idpType.getAttributeManager();

      System.out.println("Instantiating = " + attribStr);

      this.insantiateAttributeManager(attribStr);
   }
   */
   log.trace("+++ initChainConfig end +++  ");
}
</pre>
<p>I made no changes to the JBossAppServerAttributeManager, used it right as it was...</p>
<p>Now the only problem I have left is on the other posts about the Attribute handler being invoked in the chain AFTER the response is already sent. Makes no sense why it is doing that, but it is clear in my case that the attributes I am getting above are never sent on the first response, but only if the original assertion expires and the SP requests a resend.</p>
<p>Weird but true, I am hoping someone can tell me how to fix that...</p>
</div>

Changing the Handler chain order?
Shane Freed (/people/sfreed6533), 2012-03-05T17:40:08Z
<div class="jive-rendered-content">
<p>I have posted a discussion topic in the developers forum with my findings as I have been searching for a solution to get attributes passed from the IDP (originating from my LDAP server) to the SP in the SAML Response.</p>
<p>I have been able to get everything configured, except one item, and I don't see much information that will help me get past it, so I thought I would post here as well.</p>
<p>It appears that my Attribute Handler gets invoked AFTER the response has already been created and sent, thus my attributes are not in it until the next request.</p>
<p>I have verified this by debugging the SAML2AuthenticationHandler, and see that the Response gets committed before the Attribute Handler gets invoked.</p>
<p>Is there a way to change the order in which the Handlers get invoked? I have tried to change the order in the picketlink-handlers.xml file and that did not seem to work.</p>
<p>Thanks in advance...</p>
</div>

Re: Timing Issues with communicating back to SP?
Shane Freed (/people/sfreed6533), 2012-03-01T15:59:21Z
<div class="jive-rendered-content">
<p>One thing I have noticed...</p>
<p>In my logs, I see that the IDPAuthentication handler always sends the RESPONSE before the attribute manager has been invoked. That is why the attributes do not get sent with the first response. If I hit REFRESH on the browser, the browser just resends the same SAML REQUEST, and the IDP does not rebuild the RESPONSE as the original Assertion is still valid (probably because my SKEW time is 60 seconds).</p>
<p>Anyway, once the Assertion expires, the second request will cause the RESPONSE to be reissued, and since the Attribute Manager put the values in the session AFTER the original request, it finds them, and sends them.</p>
<p>I have tried to adjust the order of my handlers to no success.</p>
<p>Is there a way to ensure the Attribute Manager gets invoked BEFORE the response is sent from the IDP back to the SP?</p>
<p>Anyone???</p>
</div>

Re: Timing Issues with communicating back to SP?
Shane Freed (/people/sfreed6533), 2012-03-01T14:08:52Z
<div class="jive-rendered-content">
<p>Little more information...</p>
<p>When I submit my auth request and get a response back from the IDP, it does not contain the attributes I am sending (employee number, mail) but does contain my list of roles. If I refresh my browser, thus resending the request before the Assertion expires (in less than 60 seconds), the attributes are still not sent. However, if I refresh my browser (resending the request) after the Assertion expires (after 60 seconds), I get an error from the SPPostFormAuthenticator that says, "<strong>Assertion has expired. Asking IDP for reissue</strong>", and the response from the IDP contains my attributes and my roles.</p>
<p>Any ideas on this??</p>
<p>Thanks!</p>
</div>

Timing Issues with communicating back to SP?
Shane Freed (/people/sfreed6533), 2012-02-27T19:10:33Z
<div class="jive-rendered-content">
<p>I am not sure if I am right or wrong, but I found something interesting.</p>
<p>I have an IDP that connects to LDAP for authentication. It also passes some attributes to the SP identifying the user. I have set up a Map in the security context and have correctly debugged my AttributeManager to see that it does correctly get the attributes from my LDAP.</p>
<p>When I connect to my SP, it does everything correctly, authenticates me, and authorizes me into the application, but I do not see my attributes passed to the SP from the IDP. It appears that the response to the SP is sent back from the IDP before the attributes are retrieved from my LDAP. If I run the SAML2AuthenticationHandler in debug mode, and slowly step through the code, letting the original request expire, and a "Reissue request" is sent to the IDP from the SP, then my attributes appear.</p>
<p>Any suggestions?</p>
<p>Thanks! - Shane</p>
</div>

Re: Problem with SAML2AttributeHandler
Shane Freed (/people/sfreed6533), 2012-02-17T21:03:13Z
<div class="jive-rendered-content">
<p>Sorry Anil... I do not understand your response to my question.</p>
<p>I have posted my application policy from my login-config.xml. This can successfully authenticate and authorize me against our AD, and will successfully let me into our SP from our IDP app.</p>
<p>In my application policy, I have the mapping module defined, but do not think it's correct.</p>
<p>I am relatively new to JBoss, and have found too many different, conflicting examples.</p>
<p>I would like to see one example of how to map LDAP attributes so they are passed from IDP to SP.</p>
</div>

Re: Problem with SAML2AttributeHandler
Shane Freed (/people/sfreed6533), 2012-02-17T19:39:19Z (edited 2012-02-17T20:01:06Z)
<div class="jive-rendered-content">
<p>I have seen this page a hundred times and have tried different variations of what it is saying to do, but have been unsuccessful.</p>
<p>The directions here are not clear...</p>
<p>I need to find instructions on this... "Configure the security domain of the IDP to also include mapping configuration for attributes." Here is how I am trying to map attribute values with LdapAttributeMappingProvider.</p>
<pre>
&lt;application-policy name="idp"&gt;
  &lt;authentication&gt;
    &lt;login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient"&gt;
      &lt;module-option name="java.naming.factory.initial"&gt;com.sun.jndi.ldap.LdapCtxFactory&lt;/module-option&gt;
      &lt;module-option name="java.naming.provider.url"&gt;ldap://localldaphost:389&lt;/module-option&gt;
      &lt;module-option name="java.naming.security.authentication"&gt;simple&lt;/module-option&gt;
      &lt;module-option name="java.naming.referral"&gt;follow&lt;/module-option&gt;
      &lt;module-option name="bindDN"&gt;CN=LDAPLOOKUP,CN=Users,DC=xxxx,DC=com&lt;/module-option&gt;
      &lt;module-option name="bindCredential"&gt;xxxx&lt;/module-option&gt;
      &lt;module-option name="baseCtxDN"&gt;DC=xxxx,DC=com&lt;/module-option&gt;
      &lt;module-option name="baseFilter"&gt;(sAMAccountName={0})&lt;/module-option&gt;
      &lt;module-option name="rolesCtxDN"&gt;DC=xxxx,DC=com&lt;/module-option&gt;
      &lt;module-option name="roleFilter"&gt;(member={1})&lt;/module-option&gt;
      &lt;module-option name="roleAttributeID"&gt;cn&lt;/module-option&gt;
      &lt;module-option name="roleAttributeIsDN"&gt;false&lt;/module-option&gt;
      &lt;module-option name="roleRecursion"&gt;-1&lt;/module-option&gt;
      &lt;module-option name="searchTimeLimit"&gt;10000&lt;/module-option&gt;
      &lt;module-option name="allowEmptyPasswords"&gt;false&lt;/module-option&gt;
      &lt;module-option name="defaultRole"&gt;manager&lt;/module-option&gt;
    &lt;/login-module&gt;
  &lt;/authentication&gt;

  &lt;mapping&gt;
    &lt;mapping-module code="org.jboss.security.mapping.providers.attribute.LdapAttributeMappingProvider" type="attribute"/&gt;
    &lt;module-option name="attributeList"&gt;mail, cn&lt;/module-option&gt;
  &lt;/mapping&gt;
&lt;/application-policy&gt;
</pre>
<p>BUT...</p>
<p>Every time I try to use the JBossAppServerAttributeManager class as the "ATTRIBUTE_MANAGER", I get the following error...</p>
<pre>
java.lang.IllegalArgumentException: PL00092: Null Value:responseType is null
 at org.picketlink.identity.federation.web.util.IDPWebRequestUtil.send(IDPWebRequestUtil.java:227)
 at org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.processSAMLRequestMessage(IDPWebBrowserSSOValve.java:641)
 at org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.invoke(IDPWebBrowserSSOValve.java:383)
 at org.picketlink.identity.federation.bindings.tomcat.idp.IDPSAMLDebugValve.invoke(IDPSAMLDebugValve.java:59)
 at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
 at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
 at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
 at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
 at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
 at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
 at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
 at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
 at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
 at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
 at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
 at java.lang.Thread.run(Thread.java:662)
</pre>
<p>If I use the EmptyManager, everything works, but I get no values passed to the SP.</p>
<p>In my investigation, I think I am using an older version of the jboss-security.jar file as I noticed that "MappingType.ATTRIBUTE" doesn't exist in the jar file I am using, although the value is used by the JBossAppServerAttributeManager.</p>
<p>I have a fresh install of JBoss AS 5.1.0. Am I using the wrong version?</p>
</div>

Re: Problem with SAML2AttributeHandler
Shane Freed (/people/sfreed6533), 2012-02-17T15:01:10Z
<div class="jive-rendered-content">
<p>I am wondering the same thing, but more importantly, I do not know where to configure the Attribute Handler in the security context for LDAP.</p>
<p>Are there any working examples of this config? I will keep looking...</p>
<p>Thanks!</p>
</div>

Re: Problem with SAML2AttributeHandler
Shane Freed (/people/sfreed6533), 2012-02-16T17:32:26Z (edited 2012-02-16T17:32:55Z)
<div class="jive-rendered-content">
<p>Wow Oved, that's a lot of good information. Thanks for taking the time to publish it.</p>
<p>My problem is that I am using 2 authentication sources (AD / DB) for authentication. I need to somehow get these sources to provide an attribute to the Attribute Manager, or something like that.</p>
<p>I did notice the problem you had in the Attribute Handler mentioned in number 2 in your list.... in addition to the if statement don't forget to change:</p>
<pre>
protected AttributeManager attribManager = null
</pre>
</div>

Re: Problem with SAML2AttributeHandler
Shane Freed (/people/sfreed6533), 2012-02-16T14:52:29Z
<div class="jive-rendered-content">
<p>Again, I am having the same problem. I am not sure if there is a default way of getting attributes passed or not.</p>
<p>My situation may be a bit different in that I am tying my authentication to LDAP and need to pass some LDAP attributes (e.g. "mail" or "surname") to the SP from the IDP.</p>
<p>There are lots of fragmented examples, and I am trying to put them together but it is confusing. I may have to create a custom AttributeManager to do this, unless you can specify some other way.</p>
<p>Overall, I am impressed with this functionality, just need to finalize this process.</p>
<p>Anil, we are also looking at getting a subscription for EPP, which I understand is integrated with PicketLink. Does it make sense to just wait for that upgrade, or will I have the same problems?</p>
<p>Thanks in advance for any ideas.</p>
</div>
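A configuration check for the setup this thread converges on, added here as an example; it is not code from the thread, from PicketLink or from JBoss. It parses a login-config.xml application-policy and a picketlink-handlers.xml Handler entry and reports the two mismatches seen above: an attributeList option that sits beside a self-closed mapping-module instead of inside it (the 2012-02-17 config, where the provider never reads it) and ATTRIBUTE_KEYS that no mapping provider is configured to return; it also flags defaultRole, which LdapExtLoginModule grants to every authenticated user. The sample XML is constructed from the thread's snippets with the masked values left out, and the checker finds a mapping element whether it is placed under authentication, as in the 2012-03-06 post, or directly under the policy.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the 2012-02-17 post: mapping-module is self-closed, so attributeList is its sibling.
LOGIN_CONFIG_BROKEN = """<policy xmlns="urn:jboss:security-config:5.0">
<application-policy name="idp">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
      <module-option name="defaultRole">manager</module-option>
    </login-module>
  </authentication>
  <mapping>
    <mapping-module code="org.jboss.security.mapping.providers.attribute.LdapAttributeMappingProvider" type="attribute"/>
    <module-option name="attributeList">mail, cn</module-option>
  </mapping>
</application-policy>
</policy>"""

# Constructed sample modelled on the working config in the 2012-03-06 post.
LOGIN_CONFIG_FIXED = """<policy xmlns="urn:jboss:security-config:5.0">
<application-policy name="idp">
  <authentication>
    <mapping>
      <mapping-module code="org.jboss.security.mapping.providers.attribute.LdapAttributeMappingProvider" type="attribute">
        <module-option name="attributeList">cn,mail,extensionAttribute3</module-option>
      </mapping-module>
    </mapping>
  </authentication>
</application-policy>
</policy>"""

# Constructed picketlink-handlers.xml fragment, as in the thread.
HANDLERS = """<Handlers>
  <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler">
    <Option Key="ATTRIBUTE_MANAGER" Value="org.picketlink.identity.federation.bindings.jboss.attribute.JBossAppServerAttributeManager"/>
    <Option Key="ATTRIBUTE_KEYS" Value="cn, mail, extensionAttribute3"/>
  </Handler>
</Handlers>"""

def parse_no_ns(xml_text):
    """Parse XML and strip namespaces so the XPath lookups below stay simple."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = el.tag.split("}", 1)[-1]
    return root

def split_list(value):
    """Split a comma-separated option value, ignoring surrounding whitespace."""
    return {v.strip() for v in value.split(",") if v.strip()}

def mapped_attributes(login_config_xml, policy_name):
    """Return (attributes the LDAP mapping provider is told to fetch, findings)."""
    findings, mapped = [], set()
    policy = parse_no_ns(login_config_xml).find(f"./application-policy[@name='{policy_name}']")
    if policy is None:
        return mapped, [f"no application-policy named {policy_name}"]
    for mapping in policy.iter("mapping"):  # found under <authentication> or directly under the policy
        if mapping.find("module-option[@name='attributeList']") is not None:
            findings.append("attributeList is a sibling of mapping-module, not a child; the provider never sees it")
        for mm in mapping.findall("mapping-module[@type='attribute']"):
            for opt in mm.findall("module-option[@name='attributeList']"):
                mapped |= split_list(opt.text or "")
    if not mapped:
        findings.append("no attributeList reaches an attribute mapping-module")
    for opt in policy.iter("module-option"):  # defaultRole is handed to every authenticated user
        if opt.get("name") == "defaultRole" and (opt.text or "").strip():
            findings.append(f"defaultRole={opt.text.strip()} is granted to every authenticated user")
    return mapped, findings

def handler_keys(handlers_xml):
    """Return the ATTRIBUTE_KEYS the SAML2AttributeHandler is configured to emit."""
    for h in parse_no_ns(handlers_xml).iter("Handler"):
        if h.get("class", "").endswith("SAML2AttributeHandler"):
            opt = h.find("Option[@Key='ATTRIBUTE_KEYS']")
            return split_list(opt.get("Value", "")) if opt is not None else set()
    return set()

def check(login_config_xml, handlers_xml, policy_name="idp"):
    """Return (handler keys no mapping provider supplies, list of findings)."""
    mapped, findings = mapped_attributes(login_config_xml, policy_name)
    missing = handler_keys(handlers_xml) - mapped
    if missing:
        findings.append("ATTRIBUTE_KEYS without a mapped attribute: " + ", ".join(sorted(missing)))
    return missing, findings
```

Running `check(LOGIN_CONFIG_BROKEN, HANDLERS)` reports all three keys as unmapped plus the sibling placement and defaultRole findings, while the fixed config yields no findings.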